SCT3258 Baseband IC
Posted: Wed Nov 22, 2023 8:52 am
Hi all,
I just want to drop something here: the files below contain what seems like fairly comprehensive documentation for the CT3258/SCT3258 DMR Baseband IC:
cdn.hackaday.io/files/1642237026116832/ ... t_v2_0.pdf
cdn.hackaday.io/files/1642237026116832/ ... asheet.pdf
cdn.hackaday.io/files/1642237026116832/ ... erface.pdf
cdn.hackaday.io/files/1642237026116832/ ... _Setup.pdf
I found those a few years ago, while fooling around with the Retevis RT40 PMR/DMR Tier I radios (actually turned out to be fully Tier II compatible: hackaday.io/project/164223-retevis-rt40 ... ngineering), which use that same Baseband IC. The datasheets don't seem to be available anywhere else than on my hackaday project page anymore.
The Datasheets for the CT3258 and the SCT3258 only seem to differ in the designation of the IC and in the name of the manufacturer, and since the original manufacturer Sicomm was acquired by CML Microcircuits in 2016, I'm thinking that maybe they really only changed the designation and that maybe the packet interface of the SCT3258 is backwards compatible.
Why would this be relevant? Because the SCT3258 is apparently being used as the Baseband IC in the Anytone 878.
I am absolutely amazed by what you guys have accomplished for the GD77 with incomplete documentation of the baseband IC, so I'm wondering what you might be capable of, with the possibly complete documentation of the SCT3258 and the STM32 inside the Anytone. I actually just ordered a compatible radio a few days ago to finally try out OpenGD77 and that made me think about my own little DMR project again.
This should by no means be interpreted as a request for porting OpenGD77 to the Anytones, just a hint for anyone with a lot of spare time and motivation to pick up a new fight on a new platform.
I personally will be taking a closer look at the RT40s again in the next couple of days because they use an STM8S, which contains a ROM bootloader and they have an exposed SWIM interface. Furthermore, an implementation of a voltage fault injection attack for this very MCU was published a while ago (itooktheredpill.irgendwo.org/2020/stm8- ... protection), so I feel like there's a good chance of getting firmware out of and into the RT40, even if the flash should be locked. I don't know what my endgame is here, but since the manufacturer explicitly states that the Baseband IC supports SMS, maybe the RT40 can serve as a platform to explore and understand data only modes? Let's just see where this goes.
Oh by the way, the current version of the RT40 looks physically different and the latest Retevis CPS won't talk to my old hardware at all, so I suspect that they might have redesigned the hardware too. If someone feels like ordering and tearing down one of those new ones, I'd be curious to learn about the insides.
Best of luck and best regards to all of you
Nico, OE6BZD